Mozilla Bumps Security Bug Bounty To $3,000 - Slashdot

Slashdot

Mozilla Bumps Security Bug Bounty To $3,000 73

Posted by kdawson on Friday July 16, 2010 @11:45AM
from the doing-well-by-doing-good dept.

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

This discussion has been archived. No new comments can be posted.

Mozilla Bumps Security Bug Bounty To $3,000

Search 73 Comments Log In/Create an Account

Comments Filter:

The actual criteria (Score:5, Informative)

by Anonymous Coward writes: on Friday July 16, 2010 @12:15PM (#32927402)
Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.
OK, here are the actual criteria, fresh from TFA:
- Security bug must be original and previously unreported.
- Security bug must be a remote exploit.
- Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging./li>
- Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.
Parent Share
twitter facebook linkedin
Re:Insulting? (Score:4, Informative)

by Lunix Nutcase (1092239) writes: on Friday July 16, 2010 @12:22PM (#32927518)

What entitlement? Finding these major exploits are not easy and can easily take weeks or months or work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits to the black market.

Parent Share
twitter facebook linkedin
Re:In related news... (Score:2, Informative)

by Chapter80 (926879) writes: on Friday July 16, 2010 @12:25PM (#32927548)

4 Insightful?
Did you mods even read this? Completely compromises the system from a remote location without internet connection?
Cmon!

Parent Share
twitter facebook linkedin
Bad Idea (Score:3, Informative)

by slasho81 (455509) writes: on Friday July 16, 2010 @01:02PM (#32928126)

Giving money for finding bugs is counterproductive. Here's why: http://www.youtube.com/watch?v=AIqtbPKjf6Q [youtube.com]

Share
twitter facebook linkedin
Re:Insulting? (Score:3, Informative)

by quickOnTheUptake (1450889) writes: on Friday July 16, 2010 @02:01PM (#32929014)

There is a big difference between a personal check from a legend and a check from a foundation or company. I would frame a check from Knuth; I would cash a check from Mozilla.

Parent Share
twitter facebook linkedin
Re:Oblig Dilbert Quote (Score:3, Informative)

by bunratty (545641) writes: on Friday July 16, 2010 @03:13PM (#32930254)

This is the exact reason for the disqualification criterion for the bug bounty [mozilla.com]
In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

Parent Share
twitter facebook linkedin
Re:Insulting? (Score:3, Informative)

by gumbi west (610122) writes: on Friday July 16, 2010 @03:38PM (#32930738) Journal

No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here [zdnet.com].

Parent Share
twitter facebook linkedin
Re:Insulting? (Score:2, Informative)

by ewanm89 (1052822) writes: on Friday July 16, 2010 @04:23PM (#32931490) Homepage

Google bounty only applies to chromium, Mozilla bounty applies to all beta, rc and stable releases of all products and services.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

952 commentsUSA Calling For the Extradition of Snowden
696 comments"Dramatic Decline" Warning For Plants and Animals
668 commentsHow Colleges Are Pushing Out the Poor To Court the Rich
496 commentsDoD Descends On DEFCAD
487 commentsBBC Clock Inaccurate - 100 Days To Fix?

You need tender loving care once a week - so that I can slap you into shape. - Ellyn Mustard